diff --git a/.github/workflows/ci-bazel.yml b/.github/workflows/ci-bazel.yml
index 013b52ca4..d203d2d42 100644
--- a/.github/workflows/ci-bazel.yml
+++ b/.github/workflows/ci-bazel.yml
@@ -2,6 +2,8 @@ name: CI (Bazel)
 on:
 push:
 branches: [main]
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/ci-cmake.yml b/.github/workflows/ci-cmake.yml
index d2d03afab..2287779ff 100644
--- a/.github/workflows/ci-cmake.yml
+++ b/.github/workflows/ci-cmake.yml
@@ -2,6 +2,8 @@ name: CI (CMake)
 on:
 push:
 branches: [main]
+permissions:
+ contents: read
 jobs:
 build-linux:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44ac9dc29..41a892d35 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 on:
 push:
 branches: [main]
+permissions:
+ contents: read
 jobs:
 build-appleclang:
 runs-on: macos-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 860da6236..e3f94fa06 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,8 +3,16 @@ on:
 pull_request_target:
 branches: [main]
 types: [opened]
+permissions:
+ contents: read
 jobs:
 close:
+ permissions:
+ contents: read
+ # We have to use two different APIs below,
+ # so just grant two different permissions.
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 2680db24c..0767cc5a8 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -5,6 +5,8 @@ on:
 build:
 required: true
 type: number
+permissions:
+ contents: read
 jobs:
 wheel-linux:
 name: Linux ${{ matrix.os }}, ${{ matrix.arch.name }}, Python ${{ matrix.ver }}
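Review bot: The new workflow-level `permissions` block in ci-bazel.yml carries no comment, and its effect is wider than it reads: once any scope is listed, every unlisted scope of `GITHUB_TOKEN` drops to `none` for all jobs in the file. The jobs lie mostly outside the hunk, so whether any of them needs more than `contents: read` cannot be checked from here. I would add a line above the block such as `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block.` The same applies to the identical hunks in ci-cmake.yml, ci.yml and python.yml.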
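Review bot: In pr.yml the `close` job now holds `issues: write` and `pull-requests: write` under `pull_request_target`, yet the step visible at the end of the hunk still references `actions/checkout@v3` by a movable tag. In a job whose token can write, that reference should be pinned to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`. The steps continue outside the hunk, so I cannot see whether the checkout sets a `ref:`. If the job only talks to the API, the checkout and the job-level `contents: read` could probably be dropped altogether. The added comment would also help more if it said which step needs `issues: write` and which needs `pull-requests: write`, rather than only that there are two APIs.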